wireless networks: challenges, threats and solutions
DESCRIPTION
Wireless Networks: Challenges, Threats and Solutions. Shehla Rana Furquan Shaikh. Talk Outline. Introduction to wireless networks How wireless is different Misbehavior in Wireless Networks Security Threats in Wireless Networks IEEE 802.11 Security Tools . Wireless Networks. - PowerPoint PPT PresentationTRANSCRIPT
1
Wireless Networks: Challenges, Threats and Solutions
Shehla RanaFurquan Shaikh
2
Talk Outline• Introduction to wireless networks
• How wireless is different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
• IEEE 802.11 Security Tools
3
Wireless Networks• Computing and communication
services, over the air, on the move
• Infrastructure-based Networks
• Ad hoc Networks
4
Infrastructure Mode• Single hop wireless connectivity
o An Access Point is responsible to communicate with end-points in its “jurisdiction”
Wired Network
Wireless AP
5
Mobile Ad Hoc Networks (MANET)
• No access point• Network formed by multiple wireless end-
points• Multi-hop wireless links• Data must be routed via intermediate nodes
• Host movement/ topology change may be frequent
A B AB
6
Why Ad Hoc Networks ?
• Setting up of fixed access points and backbone infrastructure is not always viableo Infrastructure may be absent/destroyed
in a disaster area or war zone
oEasy, fast deployment
oDo not need backbone infrastructure support
7
Wireless Mesh Networks (WMN)
• No Access Point
• Multiple, autonomous wireless end-points relaying data for each other
• Little or no mobility
• Long-term applications
• Weaker energy constraints
8
Wireless Sensor Networks (WSN)
• A class of Ad-hoc/mesh networks
• Composed of small, inexpensive, resource constrained devices
• Sensing data usually directed towards a single “Sink”
• Multi-hop wireless links
9
Talk Outline• Introduction to wireless networks
• How is Wireless different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
10
How is wireless different?
• Can we apply media access methods from fixed networks?o CSMA/CD?o Send when medium is free, listen into the
medium for collision
• Medium access problems in wireless networkso sender may apply CS and CD, but collisions
happen at receivero sender may not ‘hear’ the collision, i.e., CD
doesn’t worko CS might not work, e.g. ‘hidden’ terminals
11
MAC: Collision Avoidance• Collision avoidance: Once channel
becomes idle, wait for a randomly chosen duration before attempting to transmit
• IEEE 802.11o When transmitting, choose a backoff in range
[0,cw]; o Count down backoff when medium is idleo Count-down suspended if medium becomes
busyo When backoff interval reaches 0, transmit
12
Talk Outline• Introduction to wireless networks
• How wireless is different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
13
• Misbehavior at the MAC layero Impatient Transmitterso Solutions and Challenges
• Misbehavior at the network layer o Drop, corrupt packetso Misroute packetso Solutions and Challenges
Misbehavior in Wireless NWs: Outline
14
Possible Misbehaviors:“Impatient” Transmitters
• Choose smaller Backoff
• Cause collisions with other hosts’ packets
• Those hosts will exponentially backoff on packet loss, giving free channel to the misbehaving host
• Must diagnose and discourage!
Wireless channel
Access Point
A B
15
Solution 1: Passive Observation
• Receiver observes sender behavior. Are backoffs too short?
• Challenge: Receiver does not know exact backoff value chosen by sendero Sender chooses random backoffo Hard to distinguish between maliciously chosen
small values and a legitimate valueo How long must receiver observe?
16
Solution 2: Rx driven Backoff
• Remove the non-determinism
• Receiver provides backoff values to sendero Receiver specifies backoff for next packet
in ACK for current packeto Backoffs of different nodes still
independento Uncertainty of senders backoff eliminated
17
Misbehavior in Wireless NWs: Outline• Misbehavior at the MAC layer
o Impatient Transmitterso Solutions and Challenges
• Misbehavior at the network layer o Drop, corrupt packetso Misroute packetso Solutions and Challenges
18
Drop/Corrupt/Misroute
• A node “agrees” to join a route(for instance, by forwarding route request/reply) but fails to forward packets correctly
• Why: Conserve energy, overload, launch a denial-of-service attack
19
Solution: Watchdogs• Exploit broadcast nature• Verify whether a node has forwarded a packet or
not
B DC EA
B sends packet to C
20
Watchdogs at Work• B can ‘hear’ whether C has forwarded packet or
not• B can also know whether packet is tampered
with if no per-link encryption
B DC EA
C forwards packet to DB overhears CForwarding the packet
21
Watchdog At Work• Forwarding by C may not be immediate: B must
buffer packets, and compare them with overheard packets
• If packet stays in buffer at B too long, a “failure tally” for node C is incremented
• If the failure rate is above a threshold, C is determined as misbehaving, and source node informed
22
Watchdog Approach:Challenges
• Impact of Collisions• If A transmits while C is forwarding to D, B will not
know
B DC EA
C forwards packet to D
23
Watchdog Approach:Challenges
• Reliability of Reception Not Known• Even if B sees the transmission from C, it cannot
always tell whether D received the packet reliably
Misbehaving C may reduce power such that B can receive from C, but D does not
B DC EA
C forwards packet to D
24
Watchdog Approach:Challenges
• Misdirection of Packets• C forwards packets, but to the wrong node!• With DSR, B knows the next hop after C, so this
misbehavior may be detected
• With other hop-by-hop forwarding protocols, B cannot detect this
B DC EA
F
25
Solution 2: Exploiting Path Redundancy
• Design routing algorithms that can deliver data despite misbehaving nodes
• “Tolerate” misbehavior by using disjoint routes
• Prefer routes that deliver packets at a higher “delivery ratio”
26
Best-Effort Fault Tolerant Routing (BFTR)
• The target of a route discovery is required to send multiple route replies (RREP)o The source can discover multiple routes
(all are deemed feasible initially)
1. Source chooses a feasible route based on the “shortest path”metric
2. Source uses this route until its delivery ratio falls below a threshold (making the route infeasible)
3. If existing route is deemed infeasible, go to (1)
27
BFTR: Issues• A route may look infeasible due to temporary
overload on that route
• The source may settle on a poorer (but feasible) route
• No direct mechanism to differentiate misbehavior from lower capacity routes
28
Solution 3: Micropayments
• Provide incentive for relaying packets• A trusted third party: Accounting center• Three phases:• Communication:
o Source/dest issue payment receipts to intermediate nodes
• Receipt Submission:o Relays claim their payments
• Payment Redemption:o AC processes the receipts and issues payment
29
Route Tampering Attack
• A node may make a route appear too long or too short by tampering with RREQ
• By making a route appear too long, the node may avoid the route from being usedo This would happen if the destination replies to
multiple RREQ
• By making a route appear too short, the node may make the source use that route, and then drop data packets (denial of service)
30
Wormhole Attack• Attacker makes a wireless ‘link’
appear in the network when there isn’t one
• Not necessarily detrimental, since the additional link can improve performance
• Attacker assumes control on the fate of the traffico May analyze traffico Collect traffic for breaking encryption
31
Wormhole Attack • Host X can forward packets from F and E
unaltered • Hosts F and E will seem ”adjacent” to each other
• The fact that AFE really is AFXE will not be detected
B D
XE
A
F
C
32
Solution: Packet Leashes
• Additional information added to packets to restrict maximum transmission distance of a packet
• Geographical leasheso RX checks distance from the sendero Signature to authenticate sender location, timestampo Distance too large, reject the packet
• Temporal Leasheso Sender timestamps the packet, and receiver
determines the delay since the packet was sento If delay too large, reject the packeto Sender cannot know MAC delays
33
Wireless Misbehavior: Summary
• Hosts may be misbehave or try to compromise security at all layers of the protocol stack
• MAC Layero Disobey protocol specifications for selfish gainso Denial-of-service attacks
• Network Layero Disrupt route discovery/maintenanceo Force use of poor routes (e.g., long routes)o Delay, drop, corrupt, misroute packets
34
Talk Outline• Introduction to wireless networks
• How wireless is different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
35
Wireless Security Vulnerabilities
• Traffic Analysis• Passive Eavesdropping• Unauthorized Access• Man-in-the-middle• Session Hijacking• Replay Attack• Rogue AP• DoS Attacks• Pollution Attacks
36
Traffic Analysis• Need:oA wireless card in promiscuous
listening mode
• Threats:oDetect activity on the networkoUsing AoA, get physical location of
transmitteroType of protocols under use
37
Passive Eavesdropping• No physical security
protects against this!
• More than 50% APs use no encryption
• Attacker can get:Actual dataSource,
destination, timing of packets www.rsa.com/rsalabs/.../kaliski-wireless-security-wwc-
2003.ppt
38
Man-in-the-middle Attack
• Real-time attack• Read/modify data in transit
o Violate integrity
39
Session Hijacking• Attacker takes an authenticated session
• Target assumes its session is broken/lost
• Attacker can use the session for anything, for any amount of time
• Real time attack
• Integrity of session
40
Session Hijacking
Attacker
TargetWired Network
Wired Network
Attacker
Target
41
Replay• Similar to session hijacking except timing!
Wired Network
Attacker
Attacker
Target
TargetWired Network
42
Summary• Introduction to wireless networks
• How wireless is different
• Misbehavior in Wireless Networks
• Security Threats in Wireless Networks
WEP
Introduction to WEP• Original security protocol for IEEE 802.11
standard• Wired Equivalent Privacy – Create the “privacy
achieved by a wired network”• Considered as secure as a wired network• Primary Goal: Protect the confidentiality of user
data from eavesdropping• Based on RC4 algorithm, which is a symmetric
key stream cipher
WEP - Secret Key• Relies on a secret key that is shared between a
mobile station and an access point• Encrypt packets before they are transmitted, and
an integrity check to ensure that packets are not modified during transition
• Same key shared between all mobile stations and an access point in a network
WEP - Authentication
STA AP
Authenticate (request)Authenticate (challenge)Authenticate (response)Authenticate (success)
Stream Cipher Operation
Electronic Code Book Mode
Initialization Vectors (IV)
• Used to alter the key stream• Numeric value that is concatenated to the base
key before the key stream is generated• Every time IV changes, so does the key stream• 802.11 standard recommends that IV change on a
per-frame basis• If same packet is transmitted twice, the resulting
cipher-text will be different for each transmission
Encryption with IV
WEP Encryption• Checksum – uses CRC32• Encryption – uses RC4• Transmission –
ciphertext appended with IV
Message CRC
XOR
Keystream = RC4(IV,k)
CiphertextIV
WEP Decryption
Message CRC
XORKeystream =
RC4(IV,k)
CiphertextIV
Goals of Security• Authentication• Access control• Replay Protection• Message modification detection• Message privacy
1) Authentication• It is one party proving to other that he/she really
is who they claim to be.• Requirements:
(1) Robust method of proving identity that cannot be spoofed(2) Method of preserving identity over subsequent transactions that
cannot be transferred(3) Mutual authentication(4) Authentication keys independent from encryption keys
How rule 1 fails?• P XOR K = C
• C XOR P = KSTA
Bad STA
AP
Challenge
Plai
ntex
t (P)
Response + IV
Cipher
text
(C)
+ IVChallenge
Response + IV
2) Access Control• Process of allowing or denying a mobile device to
communicate with the network• IEEE 802.11 does not define any access control
mechanism• APs might use a list of acceptable MAC addresses• Problem? MAC address can be easily spoofed• Last line of defense? On receiving an IV error,
deny access to that station
3) Replay Detection• Legitimate user actions captured by an attacker• Attacker replays the message ( login response
message spoofing the MAC address )• WEP should allow only one copy of a message to
be accepted EVER• No protection whatsoever in WEP
Replay Attack
Authorized WEP communications
Good guy STA
Good guy AP
Bad guy (STA or AP)
Eavesdrop and record
Play back selections
4) Message modification
• To prevent tampering, WEP includes a check field called integrity check value(ICV).
• Problem? CRC method used to compute the ICV is called a linear method
• Thus, C (M XOR M’) = C(M) XOR C(M’)• Possible to predict what bits in ICV change on
changing a bit in data
Message modification• Let the message-CRC pair be <M, C(M)>• The corresponding ciphertext would be:
Ciph(M) = <M,C(M)> XOR K = K XOR <M,C(M)>• Suppose we want to change M by d:
Ciph(M) XOR <d,C(d)>= K XOR <M,C(M)> XOR <d,C(d)>= K XOR <M XOR d, C(M XOR d)>= K XOR <M’, C(M’)>= Ciph (M’)
5) Privacy• Weaknesses in the way RC4 is used in WEP:
1) IV Reuse2) Weak RC4 keys
Key Reuse• Encrypting two messages with same IV and key
can reveal information about both messages:C1 = P1 XOR RC4(IV,k)C2 = P2 XOR RC4(IV,k)C1 XOR C2 = P1 XOR P2
Key Reuse - Problems• XORing the two ciphertexts causes the keystream
to cancel out.• If one plaintext is known, other can be easily
calculated• Real-world plaintexts have enough redundancy so
that one can recover both P1 and P2• Known techniques for solving such plaintext XORs
by looking for two English texts that XOR to given value P1 XOR P2
How WEP deals with this?
• Use a different IV for every packet that is transmitted
• Problem?o IV is sent in plaintext form along with the transmitted packeto Attacker knows the IV as well
Possible Attack• Key rarely changes. • IV size is 24 bits.• Reuse of IV causes reuse of RC4 keystream• Since IV is public, duplicate IVs can be easily
detected by the attacker• Over a period of time, attacker can collect IVs and
corresponding ciphertexts
RC4 Weak Keys• RC4 has weak keys
– Greatly aids crypto analysis– There are standard techniques to avoid the
weak keys but WEP does not use these techniques.
• Airsnort and Wepcrack tools leverage weak keys
IEEE 802.11i
Introduction to 802.11i
• Addendum to the base standard that specifies new generation of security
• Defines a new type of wireless network called Robust Security Network(RSN)
Goals• Replace WEP by protocol that properly uses
encryption• Add proper authentication• Add data authenticity and integrity• Tie data link keys to authentication• Manufacture “fresh” keys
Security Service Dependencies
Data Confidentiality
Authentication
Authorization
Data Integrity
802.11i Architecture
PHY
MAC_SAP
MAC
802.1X Uncontrolled
Port
802.1X Controlled
Port
Station Management Entity
802.1XAuthenticator/
Supplicant
Data Link
Physical
PMD
802.11i State MachinesWEP/TKIP/CCMP
Data
TK
PTK PRF(PMK)(PTK = KCK | KEK |
TK)
Operation
72
Data protection
802.1X authentication
802.1X key management RADIUS-based key distribution
Security capabilities discovery
Authentication ServerAccess PointStation
Security negotiation
Discovery phase• Determine promising parties with whom to
communicate• AP advertises network security capabilities to STA via
beacon and probe responseo SSID in Beacon, Probe provides hint for right
authentication credentials• Performance optimization only; no security value
o RSN Information Element advertises• All enabled authentication suites• All enabled unicast cipher suites• Multicast cipher suite
• STA selects authentication suite and unicast cipher suite in Association Request
802.1x Authentication• STA determines whether it indeed does need to
communicate• Mutually authenticate STA and AS• Generate master key as a side effect of
authentication• Use master keys to generate session keys =
authorization token
Discovery and Authentication
Probe Request
Probe Response + RSN IE (AP supports CCMP Mcast, CCMP Ucast, 802.1X Auth)
802.11 Open System Auth
802.11 Open Auth (success)
Association Req + RSN IE (STA requests CCMP Mcast, CCMP Ucast,
802.1X Auth)
Association Response (success)
Access Point
Station
RADIUS phase• AS moves session key(PMK) to STAs AP
• Bind PMK to STA and AP• Confirm both AP and STA possess PMK• Generate fresh operational key (PTK)• Prove each peer is live• Synchronize PTK use
802.1x Key Management
Another look at the layers
802.11i Key Hierarchy
Key Confirmation Key (KCK) – PTK
bits 0–127
Key Encryption Key (KEK) – PTK
bits 128–255
Temporal Key – PTK bits 256–n – can have cipher suite specific structure
Pairwise Master Key (PMK) : 256 bit Access token
Pairwise Transient Key (PTK) = 802.11i-PRF(PMK, min(AP Nonce, STA Nonce) || max(AP nonce, STA Nonce) || min(AP
MAC Addr, STA MC Addr) || max(AP MAC Addr, STA MAC Addr))
Another look at the basic operation
Begin filtering non-802.1X data MPDUs
Begin filtering non-802.1X data MPDUs
AP
Association Request
Association Response
EAP type specific mutual authentication
4-Way Handshake
Group Key Handshake
Allow data MPDUs protected by
pairwise, group keys
Allow data MPDUs protected by
pairwise, group keys
STA
4-way handshake
EAPOL-Key(Reply Required, Unicast, ANonce)
Pick Random ANonce
EAPOL-Key(Unicast, SNonce, MIC, STA RSN IE)
EAPOL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE, GTK)
Pick Random SNonce, Derive PTK = 802.11i-PRF(PMK, ANonce || SNonce || AP MAC Addr || STA MAC Addr)
Derive PTK
EAPOL-Key(Unicast, MIC)
STA
PMK PMK
Key Management Summary
• 4-Way Handshakeo Establishes a fresh pairwise key bound to STA
and AP for this sessiono Proves liveness of peerso Demonstrates there is no man-in-the-middle
between PTK holders if there was no man-in-the-middle holding the PMK
o Synchronizes pairwise key use• Group Key Handshake provisions group
key to all STAs
Key Management Summary
Data Transfer Overview
• 802.11i defines 2 protocols to protect data transfer:o TKIP : Legacy deviceso CCMP: Better security for new devices
• Why two protocols instead of one?
TKIP• TKIP: Temporal Key Integrity Protocol• Designed as a wrapper around WEPoCan be implemented in softwareoReuses existing WEP hardwareoRuns WEP as a sub-component
TKIP Design Challenges
• Mask WEP’s weaknesses…o Prevent data forgeryo Prevent replay attackso Prevent encryption misuseo Prevent key reuse
• On existing AP hardwareo Utilize existing WEP off-load hardwareo Software/firmware upgrade onlyo Don’t unduly degrade performance
TKIP Design – Replay Protection
Protect against replay • reset packet sequence # to 0 on rekey • increment sequence # by 1 on each packet• drop any packet received out of sequence
Access Point
Wireless Station
Hdr Packet n
Hdr Packet n + 1
Hdr Packet n
CCMP• Mandatory to implement: the long-term
solution• Based on AES in CCM mode
o CCM = Counter Mode Encryption with CBC-MAC Data Origin Authenticity
o AES overhead requires new AP hardwareo AES overhead may require new STA hardware
for hand-held devices, but not PCs• An all new protocol with few concessions
to WEP• Protects MPDUs = fragments of 802.2
frames
Overview
• Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload
• Use CTR mode to encrypt the payloado Counter values 1, 2, 3, …
• Use CTR mode to encrypt the MICo Counter value 0
Header Payload MIC
Authenticated
Encrypted
Operation
Sm
Br
E ...
B1 Bk
Header Payload MIC
A1 E E A0 E
... 0
padding
0
padding
Bk+1...
... E
Sm...S1 S0
B0
E
...
CCMP Summary• Builds on the lessons learned from IEEE 802.11
and IPsec packet protocol designso Relies on proper use of strong cryptographic primitives
• Strong security against all known attacks• Requires new hardware
Data Transfer Summary
WEP TKIP CCMPCipher RC4 RC4 AESKey Size 40 or 104 bits 128 bits 128 bits
encryption,64 bit auth
Key Life 24-bit IV, wrap 48-bit IV 48-bit IVPacket Key Concat. Mixing Fnc Not NeededIntegrity
Data CRC-32 Michael CCMHeader None Michael CCM
Replay None Use IV Use IVKey Mgmt. None EAP-based EAP-based